Skip to main content

Comment Rating Plugin for WordPress 'id' Parameter SQL Injection Vulnerability - Input Validation Error

Comment Rating Plugin for WordPress 'id' Parameter SQL Injection Vulnerability

Recently when we run a symantec server scan on our server, we got a warning like  "Comment Rating Plugin for WordPress 'id' Parameter SQL Injection Vulnerability" and it was listed under "Insufficient User Input Validation" class.



Comment Rating Plugin ( Bob King Comment Rating 2.9.23 ) for WordPress  contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ck-processkarma.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Vulnerable version of plugin : Bob King Comment Rating 2.9.23 ( http://wealthynetizen.com ). other versions may also be affected.

Bug Type : Input Validation Error ( Insufficient User Input Validation )


How this works?
Wordpress Comment Rating plugin version 2.9.23 is prone to SQL injection vulnerability. Attackers can use a browser to exploit this issue.  The flaws are caused by improper validation of user-supplied input via the 'id' parameter to '/wp-content/plugins/comment-rating/ck-processkarma.php',which allows attackers to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation will allow attacker to perform SQL Injection attack and gain sensitive information.

The following example attack URI is available:

http://WWW.YOUR_WEBSITE.COM/wp-content/plugins/comment-rating/ck-processkarma.php?path=1&action=1&id=1%20and%201=2%20--%20



This bug is reported on BugTraq http://www.securityfocus.com/bid/46482/info


How to fix?

Updates are available. Upgrade to version 2.9.24 or higher, as it has been reported to fix this vulnerability.


Download and install the latest plugin from http://wealthynetizen.com/wordpress-plugin-comment-rating/

Or Update with the latest Rating Wordpress plugin at http://wordpress.org/extend/plugins/comment-rating

Popular posts from this blog

How to apply for a new ration card and what are the documents required?

List of documents required for new ration card application in Kerala and how to apply


Application for a new ration card should be addressed to Taluk Supply Officer (TSO) / City Rationing Officer (CRO) of applicant's residing area.

Primary document required are Residence certificate, Income certificate and incase the applicant's name is in another ration card then he/she should submit the reduction certificate ontained from previous TSO / CRO as proof for removing his/her name from old Ration card.

You can get the new application from your currently residing Taluk Supply Office.

Payback Points - How to redeem - How to merge multiple payback accounts - Block Payback card - Payback customer care

Joomla and Forum Integration - Integrating Forums to Joomla

Joomla is one of the most popular CMS opensource packages. It is very easier to develop website's using Joomla. You just need to download Joomla package from Joomla's Official website www.joomla.org  and install it on your domain and later adding customizations to templates and feature and Your website is ready :). Now a days most websites provides a forum section for it users for discussing various article topics, gathering opinions etc.



Following are some best know forum opensource packages which can be integrated with Joomla and create a new forum experience for users


Urgent Openings for PHP trainees, Andriod / IOS developers and PHP developers in Kochi Trivandrum Calicut and Bangalore. Please Send Your updated resumes to recruit.vo@gmail.com   Read more »
Member
Search This Blog